Review the following considerations before connecting an on-premises Kubernetes cluster or a cluster from another cloud provider to Alibaba Cloud Distributed Cloud Container Platform (ACK One) as a registered cluster.
Network connectivity
Stable connectivity between your self-managed Kubernetes cluster and Alibaba Cloud is required. When your cluster accesses Alibaba Cloud resources over the Internet, instability issues such as timeouts may occur.
For node pools, self-managed Kubernetes clusters must connect to ACK One registered clusters through the internal network, not over the Internet.
Additional network constraints:
ACK One registered clusters do not support creating or using Services of type LoadBalancer.
If connecting an on-premises Kubernetes cluster through the public endpoint of an ACK One registered cluster, configure access control for the Server Load Balancer (SLB) of the API server that listens on port 6443 to prevent security risks.
Data security
Restricted mode is available in ACK One registered clusters. The ack-cluster-agent component deployed in your self-managed Kubernetes cluster:
Only accesses its own ConfigMap configurations
Does not read any cluster data
Performs no intrusive write operations
Has zero impact on existing workloads
Component management
ACK One registered clusters support deploying cloud-native middleware — including log collection, monitoring, and alerting — to your self-managed Kubernetes clusters. You may need to authorize these components to access specific cloud resources before using them.
To authorize a component:
Provide your AccessKey information.
Grant the middleware the permissions it needs to access the required cloud resource.
Create a Secret named alibaba-addon-secret to store your AccessKey information.
For details, see Grant permissions to a registered cluster.
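The following manifest is an added example of the Secret created in the last step; it is not taken from the ACK One documentation. It assumes the Secret lives in the kube-system namespace and uses the keys access-key-id and access-key-secret, and the placeholder values stand for the credentials of a RAM user that holds only the permissions the component needs (from the previous step).

```yaml
# Added example: Secret holding the AccessKey that ACK One components use
# to reach cloud resources. Namespace and key names are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-addon-secret
  namespace: kube-system          # assumed namespace of the cloud-native components
type: Opaque
stringData:
  # Use a dedicated RAM user whose policy covers only the resources the
  # middleware (log collection, monitoring, alerting) must access.
  access-key-id: "<RAM_USER_ACCESSKEY_ID>"          # placeholder
  access-key-secret: "<RAM_USER_ACCESSKEY_SECRET>"  # placeholder
```

Apply it with kubectl apply -f and restrict read access to the kube-system namespace with RBAC, since anyone who can read this Secret obtains the AccessKey.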
Node pools
The node pool feature scales cloud Elastic Compute Service (ECS) resources for self-managed Kubernetes clusters. Before using node pools, confirm the following:
The self-managed Kubernetes cluster connects to the ACK One registered cluster through the internal network.
The on-premises container network plug-in runs only in the on-premises network. The Terway plug-in runs only on ECS instances.
The initialization script for nodes in the self-managed Kubernetes cluster is ready.
Shared responsibility
Self-managed Kubernetes clusters differ from Container Service for Kubernetes (ACK) clusters in version, cluster initialization method, and node configuration. For example, components such as Container Storage Interface (CSI) and MetricServer may use different default configuration file paths or ports than those expected by ACK. As a result, these components may not run as expected in self-managed clusters. Stability of these components is a shared responsibility between you and ACK.